import clevis-21-6.el10

SOURCES/0003-Fix-to-start-pcscd-appropriately.patch

@@ -0,0 +1,110 @@
+From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Wed, 9 Oct 2024 12:15:18 +0200
+Subject: [PATCH] Fix to start pcscd appropriately
+
+diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+index 01a3062..9922bbc 100755
+--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
++++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+@@ -16,9 +16,11 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
++. /usr/bin/clevis-pkcs11-common
++
+ if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
+ then
+-  pcscd --disable-polkit
+-  echo "" > /run/systemd/clevis-pkcs11.run
+-  /usr/libexec/clevis-luks-pkcs11-askpin -d -r
++    clevis_start_pcscd_server
++    echo "" > /run/systemd/clevis-pkcs11.run
++    /usr/libexec/clevis-luks-pkcs11-askpin -d -r
+ fi
+diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+index b860efa..468ca3c 100755
+--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
++++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+@@ -52,22 +52,7 @@ get_pkcs11_error() {
+     return 0
+ }
+ 
+-
+-if command -v pcscd; then
+-    echo "clevis-pkcs11: starting pcscd if not available ..."
+-    PCSCD_PID=$(ps auxf | grep "[p]cscd")
+-    echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
+-    if ! ps auxf | grep "[p]cscd";
+-    then
+-        if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
+-            echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
+-            pcscd --disable-polkit
+-        else
+-            echo "clevis-pkcs11: starting pcscd ..."
+-            pcscd
+-        fi
+-    fi
+-fi
++clevis_start_pcscd_server
+ 
+ if [ "${dracut_mode}" != true ]; then
+     pkcs11-tool -L
+diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
+index 571a2be..c7f2a58 100755
+--- a/src/pins/pkcs11/clevis-pkcs11-common
++++ b/src/pins/pkcs11/clevis-pkcs11-common
+@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
+     done
+ }
+ 
++clevis_start_pcscd_server() {
++    if command -v pcscd; then
++        echo "clevis-pkcs11: starting pcscd if not available ..."
++        PCSCD_PID=$(ps auxf | grep "[p]cscd")
++        echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
++        if ! ps auxf | grep "[p]cscd";
++        then
++            if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
++                echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
++                pcscd --disable-polkit
++            else
++                echo "clevis-pkcs11: starting pcscd ..."
++                pcscd
++            fi
++        fi
++    fi
++}
++
+ clevis_parse_devices_array() {
+     INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
+     counter=0
+diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
+index 94e1548..c876ca4 100755
+--- a/src/pins/pkcs11/tests/pin-pkcs11
++++ b/src/pins/pkcs11/tests/pin-pkcs11
+@@ -20,6 +20,7 @@
+ . pkcs11-common-tests
+ . tests-common-functions
+ . clevis-luks-common-functions
++. clevis-pkcs11-common
+ 
+ on_exit() {
+     exit_status=$?
+@@ -150,5 +151,16 @@ then
+ (${WRONGCFG})"
+ fi
+ 
++if command -v ps && command -v killall; then
++    if ! clevis_start_pcscd_server;
++    then
++        error "${TEST}: Could not start pcscd server"
++    fi
++    if ! killall -9 pcscd;
++    then
++        error "${TEST}: Could not kill pcscd server"
++    fi
++fi
++
+ softhsm_lib_cleanup
+ test "$?" == 0

SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch

@@ -0,0 +1,65 @@
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2	2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2	2024-11-05 15:54:16.209993587 +0100
+@@ -58,7 +58,7 @@
+     echo
+     echo "  key: <string>   Algorithm type for the generated key (default: ecc)"
+     echo
+-    echo "  pcr_bank: <string>   PCR algorithm bank to use for policy (default: sha1)"
++    echo "  pcr_bank: <string>   PCR algorithm bank to use for policy (default: first supported by TPM)"
+     echo
+     echo "  pcr_ids: <string>   PCR list used for policy. If not present, no policy is used"
+     echo
+@@ -130,7 +130,15 @@
+ 
+ key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
+ 
+-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
++pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
++    if ! pcr_bank=$(tpm2_getcap pcrs |
++            awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++                     {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
++                 END {exit !found}'); then
++        echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
++        exit 1
++    fi
++}
+ 
+ # Trim the spaces from the config, so that we will not have issues parsing
+ # the PCR IDs.
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc	2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc	2024-11-05 15:54:16.209993587 +0100
+@@ -91,13 +91,17 @@
+   - *symcipher*
+ 
+ * *pcr_bank*  (string) :
+-  PCR algorithm bank to use for policy (default: sha1)
++  PCR algorithm bank to use for policy (default: first supported by TPM)
+ 
+-  It must be one of the following:
++  Examples of PCR algorithm banks, support depends on TPM chip:
+ 
+   - *sha1*
+   - *sha256*
+ 
++  For the full list of algorithms supported by the TPM chip check output of
++  `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
++  numbers.
++
+ * *pcr_ids*  (string) :
+   Comma separated list of PCR used for policy. If not present, no policy is used
+ 
+--- clevis-21.old/src/pins/tpm2/pin-tpm2	2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/pin-tpm2	2024-11-05 15:54:16.209993587 +0100
+@@ -142,8 +142,10 @@
+ # arrays and check if we get the expected pcr_ids.
+ 
+ # Let's first make sure this would be a valid configuration.
+-_default_pcr_bank="sha1"
+-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
++_default_pcr_bank=$(tpm2_getcap pcrs |
++    awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++             {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
++if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
+     test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
+     test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16"  || exit 1
+     test_pcr_ids "${orig}" '{"pcr_ids": "4,  16"}' "4,16" || exit 1

SPECS/clevis.spec

@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 5;
+    release_number = 6;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -20,6 +20,8 @@ Source1:        clevis.sysusers
 
 Patch0:         0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
 Patch1:         0002-Fix-potential-race-condition.patch
+Patch2:         0003-Fix-to-start-pcscd-appropriately.patch
+Patch3:         0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
 
 BuildRequires:  git-core
 BuildRequires:  gcc
@@ -228,6 +230,9 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 
 %changelog
 ## START: Generated by rpmautospec
+* Tue Nov 05 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-6
+- TPM2 use first PCR algorithm bank supported by TPM
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 21-5
 - Bump release for October 2024 mass rebuild: